wtayyeb

Reputation: 1959

how to retrieve current user granted RBAC with kubectl

One can create a Role or ClusterRole and assign it to a user via a RoleBinding or ClusterRoleBinding.

From the point of view of a user who has a token, how can they get all granted permissions, or the roles/rolebindings applied to them, via kubectl?

Upvotes: 20

Views: 36912

Answers (2)

rokpoto.com

Reputation: 10738

I think you are looking for the command kubectl auth can-i --list, which lists all of the current user's permissions:

Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]

You can also see another user's permissions by adding --as=[user-name].

For example: kubectl auth can-i --list --as=jenkins

For more granular information about the roles and cluster roles bound to a service account, or the specific actions (verbs) allowed to be performed on specific resources, refer to this answer.

Upvotes: 22

Suresh Vishnoi

Reputation: 18373

# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'

# Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces

# Check to see if I can list deployments in my current namespace
# (deployments live in the "apps" API group; the old "extensions" group
# for deployments was removed in Kubernetes 1.16)
kubectl auth can-i list deployments.apps

You can get further information with the kubectl auth --help command.

You can also impersonate a different user to check their permissions with the --as or --as-group flag:

kubectl auth can-i create deployments --namespace default --as john.cena

Upvotes: 32
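Both answers above ask the API server the question (kubectl auth can-i sends a SelfSubjectAccessReview or SelfSubjectRulesReview and, with --as, an impersonated one, which itself requires the impersonate verb on users/groups/serviceaccounts). The other half of the original question, which Role/RoleBinding objects actually produce those permissions, is answered by reading the RBAC objects, and that needs list access to roles, rolebindings, clusterroles and clusterrolebindings that a restricted user may not have. The following is an added example, not code from either answer or from kubectl: it resolves the RBAC chain offline over a constructed JSON dump in the shape of kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json, reports which bindings name a principal, and evaluates a local can-i with Kubernetes' own scoping rules (ClusterRoleBinding applies cluster-wide, RoleBinding only in its namespace, "*" wildcards, pods/* style subresource patterns, resourceNames, and a dangling roleRef granting nothing). All object names (jenkins, developers, view-pods, deployer, stale) are invented for the example. A yes from this resolver is not authoritative: the API server may also consult Node, ABAC or webhook authorizers and aggregated ClusterRoles, so kubectl auth can-i remains the check to trust.

```python
"""Resolve RBAC bindings for a principal and evaluate a local `can-i` check.

Added example: parses a constructed `kubectl get ... -o json` dump; the API
server's own SelfSubjectAccessReview (kubectl auth can-i) stays authoritative.
"""
import json

# Constructed sample dump; every name below is illustrative, not from a real cluster.
SAMPLE_RBAC_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "view-pods"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "Role", "metadata": {"name": "deployer", "namespace": "ci"},
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "view-pods-all"},
         "roleRef": {"kind": "ClusterRole", "name": "view-pods"},
         "subjects": [{"kind": "Group", "name": "developers"}]},
        {"kind": "RoleBinding", "metadata": {"name": "jenkins-deploys", "namespace": "ci"},
         "roleRef": {"kind": "Role", "name": "deployer"},
         "subjects": [{"kind": "User", "name": "jenkins"}]},
        # Binding whose Role no longer exists: RBAC treats it as granting nothing.
        {"kind": "RoleBinding", "metadata": {"name": "stale", "namespace": "ci"},
         "roleRef": {"kind": "Role", "name": "removed"},
         "subjects": [{"kind": "User", "name": "jenkins"}]},
    ],
})


def _role_lookup(items):
    """Index rules by (kind, namespace-or-None, name); ClusterRoles have no namespace."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            key = (obj["kind"], obj["metadata"].get("namespace"), obj["metadata"]["name"])
            roles[key] = obj.get("rules", [])
    return roles


def subject_matches(subject, user, groups):
    """Match a binding subject against a principal given as user name plus group names."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":  # service accounts authenticate as system:serviceaccount:<ns>:<name>
        return user == f"system:serviceaccount:{subject.get('namespace', '')}:{name}"
    return False


def bindings_for(rbac_json, user, groups=()):
    """Every binding naming the principal: (binding kind, binding name, scope namespace or None, rules)."""
    items = json.loads(rbac_json)["items"]
    roles = _role_lookup(items)
    found = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(subject_matches(s, user, groups) for s in obj.get("subjects", [])):
            continue
        scope = obj["metadata"].get("namespace")  # None for a ClusterRoleBinding
        ref = obj["roleRef"]
        # A RoleBinding may reference a Role in its own namespace or any ClusterRole.
        rules = roles.get((ref["kind"], scope if ref["kind"] == "Role" else None, ref["name"]))
        if rules is None:
            continue  # dangling roleRef grants nothing
        found.append((obj["kind"], obj["metadata"]["name"], scope, rules))
    return found


def _resource_matches(pattern, resource):
    if pattern in ("*", resource):
        return True
    if "/" in pattern and "/" in resource:  # "pods/*" or "*/log" subresource patterns
        pr, ps = pattern.split("/", 1)
        rr, rs = resource.split("/", 1)
        return pr in ("*", rr) and ps in ("*", rs)
    return False


def _rule_allows(rule, verb, resource, api_group, name):
    if "*" not in rule.get("apiGroups", []) and api_group not in rule.get("apiGroups", []):
        return False
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    if rule.get("resourceNames") and name not in rule["resourceNames"]:
        return False
    return any(_resource_matches(p, resource) for p in rule.get("resources", []))


def can_i(rbac_json, user, verb, resource, api_group="", namespace=None, groups=(), name=None):
    """Local equivalent of `kubectl auth can-i <verb> <resource> -n <ns> --as <user>` over RBAC only."""
    for _, _, scope, rules in bindings_for(rbac_json, user, groups):
        if scope is not None and scope != namespace:
            continue  # RoleBinding rules apply only inside the binding's namespace
        if any(_rule_allows(r, verb, resource, api_group, name) for r in rules):
            return True
    return False


def rules_in(rbac_json, user, namespace, groups=()):
    """Rules in force for the principal in one namespace, roughly `kubectl auth can-i --list -n <ns>`."""
    return [r for _, _, scope, rules in bindings_for(rbac_json, user, groups)
            if scope in (None, namespace) for r in rules]


if __name__ == "__main__":
    for kind, bname, scope, _ in bindings_for(SAMPLE_RBAC_JSON, "jenkins", ("developers",)):
        print(f"{kind} {bname} (scope: {scope or 'cluster-wide'})")
    print("create deployments in ci:", can_i(SAMPLE_RBAC_JSON, "jenkins", "create", "deployments", "apps", "ci"))
```

Feed it a real dump by replacing SAMPLE_RBAC_JSON with the output of kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json; on a hardened cluster that dump is itself the sensitive artifact, since it is exactly what an attacker with a stolen token enumerates first.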
